Monday, August 29, 2022

Plex breach

I've been a fan of Plex for quite a bit. But recently, Plex did something that I really didn't like. They got breached.

Sure, I know, these things happen. But these things should not happen.

Any company that pretends to be technology based or handles money -- and that includes companies such as Plex -- knows that there are people that will try to break in, and need to secure their servers.

Plex got hacked. Somebody broke in and got user information. And I got an email last week:

Dear Plex User,

We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.

What happened

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

What we're doing

We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.

What you can do

Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.

The email was even longer than what I've posted here, but that covers the main parts of it.

I'll give Plex credit for not hiding it, as some companies have done, and letting users know, as well as suggesting that password changes be conducted.

But ... this never should have happened. No company worth a darn should let something like this happen. Somebody didn't do their job.

Things like this are quite aggravating. I want to simply stream content, both from the Internet and play my local content. I just want to enjoy my Streaming Life. I don't want to have to worry about my personal data being compromised because somebody was too busy to do their job.

No comments:

Post a Comment

Your comments are welcome. Abusive or off-topic comments will be removed.